Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2015-03-04 03:57:37

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

ata5577 passwords and locking bits.

Are there any known weaknesses in the ata5577 password protection mode?

or wake with password mode?

or block locking bits?

(Other than snooping the writing of the tag.)


#2 2015-03-04 09:56:47

iceman
Administrator
Registered: 2013-04-25
Posts: 9,507

Re: ata5577 passwords and locking bits.

As I understood it, the simple one is that if the block lock bits are wrong then the password block could be read.


#3 2015-03-04 14:10:18

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: ata5577 passwords and locking bits.

Not sure about that, but I know if the config block is set wrong (to output 7 blocks) it will transmit all its memory, including the block used as a password. But that is why the spec docs tell you not to set that to 7 if you use the password mode.

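The misconfiguration described in post #3, written as a check a card issuer could run over config words before deployment. This is an added example, not code from the thread or from the Proxmark3 project; the bit positions (MAXBLK in bits 5-7 from the LSB, PWD as 0x10, password in block 7) are assumptions to verify against the datasheet, and the sample words are constructed.

```python
# Added example: flag T55x7/ATA5577 block 0 settings that put the password
# block into the regular-read data stream.
# Assumed layout (verify against the datasheet): MAXBLK = bits 5..7 from the
# LSB, PWD = 0x10, password stored in block 7.
MAXBLK_SHIFT = 5
MAXBLK_MASK = 0x7
PWD_BIT = 0x10
PASSWORD_BLOCK = 7


def decode_config(word):
    """Extract the two block 0 fields that decide password exposure."""
    if not isinstance(word, int) or not 0 <= word <= 0xFFFFFFFF:
        raise ValueError("config block must be a 32-bit integer")
    return {
        "maxblk": (word >> MAXBLK_SHIFT) & MAXBLK_MASK,
        "pwd": bool(word & PWD_BIT),
    }


def audit_config(word):
    """Classify one config word.

    'exposed'     - password mode on and MAXBLK reaches the password block
    'ok'          - password mode on, password block not transmitted
    'no-password' - password mode off, block 7 is ordinary user data
    """
    cfg = decode_config(word)
    if not cfg["pwd"]:
        return "no-password"
    if cfg["maxblk"] >= PASSWORD_BLOCK:
        return "exposed"
    return "ok"


def audit_batch(words):
    """Return {config word as hex string: verdict} for a list of words."""
    return {f"0x{w:08X}": audit_config(w) for w in words}


# Constructed sample config words (not taken from real cards).
SAMPLES = [0x00148040, 0x00148050, 0x001480F0, 0x001480E0]

if __name__ == "__main__":
    for word, verdict in audit_batch(SAMPLES).items():
        print(word, verdict)
```
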

#4 2015-03-04 14:45:00

iceman
Administrator
Registered: 2013-04-25
Posts: 9,507

Re: ata5577 passwords and locking bits.

Yup, that's what I meant.
But how many haven't gotten that wrong?

How about adding a pwd to a t55x7 tag and seeing if there are any timing issues (like an oracle attack) for wrong vs correct password. If we can get that down, it will be easy to brute-force it. Or what do you think?


#5 2015-03-04 15:53:44

asper
Contributor
Registered: 2008-08-24
Posts: 1,409

Re: ata5577 passwords and locking bits.

This is a good idea iceman.


#6 2015-03-04 15:59:09

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: ata5577 passwords and locking bits.

So the idea is it would take a different amount of time to reject the bad password for each correct byte guessed correctly?


#7 2015-03-04 17:03:43

iceman
Administrator
Registered: 2013-04-25
Posts: 9,507

Re: ata5577 passwords and locking bits.

Yes, that would be the assumption we'll be trying to verify. Somewhere along the line a bad password gets rejected faster OR slower than a correct one.

We'll need to time it... but then the t55x7 might not respond to a faulty pwd command but silently discard it.


#8 2015-03-04 18:31:02

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: ata5577 passwords and locking bits.

The tag may not respond on a bad password but there may be an interruption to the data stream it is always outputting (except wake on password configured cards.)


#9 2015-03-04 18:33:10

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: ata5577 passwords and locking bits.

However, I have no clue how we could measure the time accurately enough to tell anyway; it would no doubt be very small.


#10 2015-03-04 19:44:01

iceman
Administrator
Registered: 2013-04-25
Posts: 9,507

Re: ata5577 passwords and locking bits.

Well, research, or the wild frontier!
